Oscommerce
CVE-2012-5796
MEDIUM
Severity by source
AV:N/AC:M/Au:N/C:P/I:P/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
AV:N/AC:M/Au:N/C:P/I:P/A:N
Lifecycle Timeline
1DescriptionCVE.org
The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
AnalysisAI
The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows. Rated medium severity (CVSS 5.8), this vulnerability is remotely exploitable. Public exploit code available and no vendor patch available.
Technical ContextAI
This vulnerability is classified under CWE-20. The PayPal Pro module in osCommerce does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. Affected products include: Oscommerce, Paypal Paypal Pro.
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Apply vendor patches when available. Implement network segmentation and monitoring as interim mitigations.
More in Oscommerce
View allA vulnerability, which was classified as critical, has been found in osCommerce 4. Rated critical severity (CVSS 9.8), t
osCommerce Phoenix CE before 1.0.5.4 allows OS command injection remotely. Rated critical severity (CVSS 9.8), this vuln
osCommerce Phoenix CE before 1.0.5.4 allows admin/define_language.php CSRF. Rated high severity (CVSS 8.8), this vulnera
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database q
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database q
osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database q
An issue was discovered in osCommerce v4, allows local attackers to bypass file upload restrictions and execute arbitrar
The PayPal Pro PayFlow EC module in osCommerce does not verify that the server hostname matches a domain name in the sub
The PayPal Pro PayFlow module in osCommerce does not verify that the server hostname matches a domain name in the subjec
The PayPal Express module in osCommerce does not verify that the server hostname matches a domain name in the subject's
The MoneyBookers module in osCommerce does not verify that the server hostname matches a domain name in the subject's Co
The Authorize.Net module in osCommerce does not verify that the server hostname matches a domain name in the subject's C
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today